Access Control List
ACLs can be applied per interface or globally.
Interface ACLs control only through traffic (traffic passing through the ASA); they do not apply to sessions that terminate on the ASA itself.
Traffic that terminates on the ASA is controlled by the separate management-access commands (e.g. ssh 0 0 DMZ).
Traffic originated by the ASA itself is always allowed.
On the ASA, configuring an ACL entry with an existing line number squeezes the new entry in before the old one (pushing the old one down); on a router the entry with that number is replaced outright.
Interface rules and security levels
Default: outbound (high security level to low) is allowed; inbound (low to high) is denied.
Direction: in (the common case) filters traffic entering the interface, out filters traffic leaving it.
enable password cisco //telnet requires the enable password
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list out extended permit tcp any host 192.168.117.100 eq telnet //two ACEs in the ACL named "out"
access-list out extended permit tcp any host 192.168.112.100 eq www
access-list out extended deny ip any any log //log denied packets
access-group out in interface outside //applies ACL "out" inbound on the outside interface
router ospf 1 //routing configuration follows
 network 192.168.12.0 255.255.255.0 area 0
 network 192.168.17.0 255.255.255.0 area 0
 log-adj-changes
 default-information originate always
time-range onwork //define a time range
 periodic weekdays 9:00 to 19:15
access-list out line 1 extended permit tcp host 192.168.116.100 host 192.168.117.100 eq telnet time-range onwork //this ACE is only active within the time range
Object-group
Networks, protocols and ports can be grouped into an object group that ACLs reference by name, and object groups can be nested inside one another.
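To make the semantics above concrete (first-match evaluation with implicit deny at the end, "line N" squeezing the new entry in ahead of the existing one rather than replacing it, a time-range ACE being skipped outside its window, and nested object-group expansion), here is a small Python model of an ASA extended ACL. It is an added illustration, not code from the original post or from Cisco. The addresses, the ACL named "out" and the 9:00 to 19:15 "onwork" window come from the page's configuration; the object-group names (dmz-web, servers), the 10.0.0.0/8 source and the port-443 entry are constructed for this example, and the model only covers network object-groups and a single destination port.

```python
"""Model of Cisco ASA extended-ACL evaluation (added example, not the page's
or Cisco's code). Covers first match, implicit deny, 'line N' insertion,
time-range activation and nested network object-groups."""
from dataclasses import dataclass
from datetime import datetime
import ipaddress
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class TimeRange:
    """'periodic weekdays HH:MM to HH:MM' (weekdays = Monday to Friday)."""
    start: Tuple[int, int]
    end: Tuple[int, int]

    def active(self, at: datetime) -> bool:
        if at.weekday() > 4:                 # Saturday / Sunday
            return False
        return self.start <= (at.hour, at.minute) <= self.end


@dataclass
class Ace:
    action: str                              # 'permit' or 'deny'
    proto: str                               # 'tcp', 'udp' or 'ip' (any)
    src: str                                 # 'any', CIDR or object-group name
    dst: str
    dport: Optional[int] = None              # None = any destination port
    time_range: Optional[str] = None


class Asa:
    def __init__(self) -> None:
        self.groups: Dict[str, List[str]] = {}        # network object-groups
        self.time_ranges: Dict[str, TimeRange] = {}
        self.acl: List[Ace] = []                      # one ACL, e.g. "out"

    def object_group(self, name: str, members: List[str]) -> None:
        """Members are CIDRs or names of other groups (nesting allowed)."""
        self.groups[name] = members

    def access_list(self, ace: Ace, line: Optional[int] = None) -> None:
        """ASA semantics: 'line N' inserts *before* the current entry N and
        pushes it down; a router would replace entry N instead."""
        if line is None:
            self.acl.append(ace)
        else:
            self.acl.insert(line - 1, ace)

    def _expand(self, ref: str, seen: Optional[Set[str]] = None) -> List[ipaddress.IPv4Network]:
        """Flatten 'any', a CIDR or a (nested) object-group into networks."""
        seen = seen or set()
        if ref == "any":
            return [ipaddress.ip_network("0.0.0.0/0")]
        if ref in self.groups:
            if ref in seen:
                raise ValueError(f"object-group loop at {ref}")
            nets: List[ipaddress.IPv4Network] = []
            for member in self.groups[ref]:
                nets.extend(self._expand(member, seen | {ref}))
            return nets
        return [ipaddress.ip_network(ref)]

    def evaluate(self, proto: str, src: str, dst: str, dport: int,
                 at: datetime) -> Tuple[str, Optional[int]]:
        """Return (action, matching line). First match wins; an ACE whose
        time-range is inactive is skipped; no match means implicit deny."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for line, ace in enumerate(self.acl, start=1):
            if ace.time_range and not self.time_ranges[ace.time_range].active(at):
                continue
            if ace.proto not in ("ip", proto):
                continue
            if not any(s in net for net in self._expand(ace.src)):
                continue
            if not any(d in net for net in self._expand(ace.dst)):
                continue
            if ace.dport is not None and ace.dport != dport:
                continue
            return ace.action, line
        return "deny", None                  # implicit deny at end of ACL


def build_from_page() -> Asa:
    """ACL 'out' as configured on the page, plus a constructed object-group."""
    asa = Asa()
    asa.time_ranges["onwork"] = TimeRange((9, 0), (19, 15))
    asa.access_list(Ace("permit", "tcp", "any", "192.168.117.100/32", 23))
    asa.access_list(Ace("permit", "tcp", "any", "192.168.112.100/32", 80))
    asa.access_list(Ace("deny", "ip", "any", "any"))
    # 'access-list out line 1 ... time-range onwork' squeezes in at line 1
    asa.access_list(Ace("permit", "tcp", "192.168.116.100/32",
                        "192.168.117.100/32", 23, "onwork"), line=1)
    # constructed nested object-group (not on the page) inserted before the deny
    asa.object_group("dmz-web", ["192.168.112.100/32"])
    asa.object_group("servers", ["dmz-web", "192.168.117.0/24"])
    asa.access_list(Ace("permit", "tcp", "10.0.0.0/8", "servers", 443), line=4)
    return asa


if __name__ == "__main__":
    asa = build_from_page()
    monday, saturday = datetime(2024, 1, 1, 10, 0), datetime(2024, 1, 6, 10, 0)
    print(asa.evaluate("tcp", "192.168.116.100", "192.168.117.100", 23, monday))
    print(asa.evaluate("tcp", "192.168.116.100", "192.168.117.100", 23, saturday))
    print(asa.evaluate("udp", "10.1.2.3", "192.168.117.5", 53, monday))
```

Running it shows the telnet flow hitting line 1 on a weekday but falling through to the original "any" entry (now line 2) on Saturday, the nested group matching on line 4, and the UDP flow ending at the explicit deny on line 5. The same model with an empty ACL returns the implicit deny with no line number, which is what the ASA does when no ACE matches.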
This article is from the "Try" blog; please keep the source link: http://beening.blog.51cto.com/9079117/1788164
ASA access control list with cross-user authentication _03